This is an overview of a simple way to create a self signed TLS key pair for client / server authentication. We recommend you look at the script used by bazel for certificate generation.

Generated TLS self-signed certificates

After running the above script, you will have the following files:

ls /tmp/sslcert
ca.crt  ca.key  client.crt  client.csr  client.key  client.pem  server.crt  server.csr  server.key  server.pem

Configuring the buildfarm server

The certificate and private key can be referenced in buildfarm’s config as followed:

server:
  sslCertificatePath: /tmp/sslcert/server.crt
  sslPrivateKeyPath: /tmp/sslcert/server.pem

Configuring the buildfarm client

When calling the bazel client, pass the certificate via --tls_certificate:

bazel build
  --remote_executor=grpcs://localhost:8980 \
  --tls_certificate=/tmp/sslcert/ca.crt \
  <target>

Don’t forget to use grpcs:// instead of grpc://.

Combined credentials

You may have certificate and private keys in a combined pem file. For example, if you were to run cat /tmp/sslcert/server.crt /tmp/sslcert/server.pem > combined.pem you could provide combined.pem to both sslCertificatePath and sslPrivateKeyPath and get the same results.